Page MenuHomePhorge

Hide profile pictures and descriptions of disabled users
Open, Needs TriagePublic

Description

Marking as security due to potential abuse by spammers.

We really should hide the profiles and profile pictures of disabled users. I think we should do this non-destructively, hide them by checking the disabled flag then hiding the UI elements. That would allow for a profile that's restored to have the same information as before - AKA if a user is accidentally disabled by a rogue admin account then that user can be re-enabled without loosing anything.

This will be easy for profile descriptions (as they're in one place). This will be hard for profile pictures (as they're all over).

Event Timeline

Yes I agree, this is something I did on wikimedia's instance because we were getting a lot of spam with links in the profile description.

We could also consider installing https://phabricator.wikimedia.org/source/phabricator-ava/ which is my attempt at automatically disabling accounts that are using bots to do mass spam edits. It's essentially just looking at how many recent edits an account has made and disabling the account when it appears to be making more requests than reasonable for a human user (there are some tunable configuration parameters to fine-tune the threshold, by default it's pretty permissive because wikimedia has some power users who are not spamming but nontheless capable of making many requests in a short time )

As discussed in {E1}, we will actually add another action aside from "Disable Account." This action will mark the account as a spammer, which will take the following non-distructive actions:

  • Hide all comments by the user
  • Hide the profile picture
  • Hide the user's description, title, and badges
  • Disable the account.
  • Others?

In the future, we need to discuss:

  • Whether to roll back all user's changes to objects. This will be distructive.
  • Add support for hCaptcha

@20after4 Thank you for the link! I would not be opposed to adding something similar to upstream. In this case, we suspect that our spammers are human so it might not help a lot, but it's worth a look.

For an account marked as spam we might also want to hide their username from the UI, essentially hiding all possibly user-entered text from appearing on any page so it won't show up in search results.

fwiw the phabricator-ava project also has the ability to roll back all changes by a user, however, it won't touch tasks which have been subsequently edited by a different user so the automated tool must be used before attempting to clean up manually or the automation fails.

Essentially it just tries to reverse all of the transactions by a given user by playing them back in reverse order and reversing the old/new values.

Maybe we should hide profile details for newly registered users as well? Requiring approval would reduce the value that spammers derive from registering accounts. At least it would raise the amount of effort required of the spammers but unfortunately would also raise the effort required of us to monitor / approve accounts . and we would need to define what the user is required to do to prove themselves.

avivey shifted this object from the Restricted Space space to the S1 Public space.Jul 3 2023, 11:28
avivey changed the visibility from "Custom Policy" to "Public (No Login Required)".Tue, May 14, 16:00